How to Ensure Your Email and Other ePHI Are HIPAA Compliant

With the right cloud-based email-encryption and security solution, protecting your patients’ health data — and bringing your email practices into full HIPAA compliance — can be easier and less expensive than you might think.

Do you know if the patient appointments your staff makes by email are compliant with HIPAA’s Privacy and Security Rules? Do you have processes to ensure digital copies of your patient records are fully secure — both in transit and while in storage? Are you certain your employees are not unknowingly violating any of HIPAA’s many “required” provisions, such as sharing login information to access patient information? With HIPAA’s vast and complex set of rules, complying with the act can be difficult, even for organizations genuinely trying to do so.

Fortunately, the right cloud-based email-encryption and security solution can make protecting your patients’ health data, and bringing your email practices into compliance, easier and less expensive than you might think.

—————————————————

First, the bottom line: Not all email systems — including many of those designed for professional-level, enterprise use — are HIPAA compliant.

Assume that within your practice you send email between employees over your own secured mail server. Those internal messages do not ordinarily need to be encrypted: your workforce is part of your Covered Entity and is authorized under HIPAA to send, receive and view your organization’s electronic Protected Health Information (ePHI). They are still subject to the Security Rule’s access-control, integrity and audit requirements described below, and whether to encrypt them is a decision that your required risk analysis has to document.

But what about all of the other messages your practice sends to and receives from third parties every day, messages that would qualify as ePHI? These types of emails would include:

Payment claims submitted to insurance providers for patient services for procedures and treatments

Such messages, and any other email containing ePHI that leaves your network, whether addressed to a doctor, an insurance company, any other third party or a member of your own staff working remotely, must be protected. Under the Security Rule (45 CFR 164.312(e)(2)(ii)) encryption in transit is an “addressable” implementation specification. That does not make it optional: you must either encrypt or document why an equivalent alternative is reasonable for your practice. In practice encryption is the only realistic choice, because under the HITECH breach-notification rules ePHI that was encrypted when it was lost or intercepted is not treated as a breach of “unsecured” PHI, so the notification obligations do not attach.

In this paper we’ll discuss HIPAA’s email-security requirements as they relate to your practice, the steps you must take to comply, and why simply encrypting your messages isn’t sufficient. Then we’ll offer a solution that can make the entire compliance process easy and cost-effective.

But before getting into the details of HIPAA’s specific email rules, here is a brief overview of the act and how it regulates Covered Entities’ protection of their patients’ electronic data.

A Brief Overview of HIPAA

Passed by Congress in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law that, through the regulations issued under it, sets national standards to protect the privacy of patients’ health information. The act secures patients’ rights regarding their health-related data, including when and with whom it can be shared. HIPAA also requires doctors, pharmacists, health insurers and other providers to explain to patients their rights under the act regarding use of their health information.

The Privacy Rule, a regulation issued under HIPAA, establishes rules for the use and disclosure of patient data, called Protected Health Information (PHI), by Covered Entities. The Privacy Rule applies to all forms of PHI, whether electronic, written or verbal. A companion regulation, the Security Rule, sets standards for safeguarding the subset of PHI that is created, stored or transmitted in electronic form (ePHI).

More recently, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus Rule of 2013 have strengthened HIPAA’s Privacy and Security Rules, made Business Associates directly liable for compliance, and increased the penalties for violating patients’ rights under HIPAA.

These rules are administered and enforced by The Department of Health and Human Services Office for Civil Rights (OCR).

HIPAA and Email Security

The provisions that bear most directly on a Covered Entity’s use of email to transmit (and store) ePHI are the technical-safeguard standards of the Security Rule, 45 CFR 164.312:

Access Control: 164.312(a)(1)

Person or Entity Authentication: 164.312(d)

Integrity: 164.312(c)(1)

Transmission Security: 164.312(e)(1)

Audit Controls: 164.312(b)

So, Are You Fully Compliant With HIPAA’s Privacy, Security and HITECH Rules?

Taking into account the umbrella of HIPAA-related rules (the Privacy Rule, the Security Rule, HITECH and the Omnibus Rule), Covered Entities like yours face a difficult task in determining whether they are fully compliant. In fact, according to a report by the Healthcare Billing & Management Association (HBMA), the majority of Covered Entities and their Business Associates remain non-compliant with HIPAA.

Let us examine what HIPAA has to say about each of the provisions above. Then we will offer you a comprehensive email-security and encryption service that can address them all, and bring your practice into full email compliance with HIPAA.

Five HIPAA Email-Security Provisions:

1. Access Control

HIPAA’s Access Control standard, section 164.312(a)(1), carries a required implementation specification, Unique User Identification (164.312(a)(2)(i)), under which the Covered Entity must “Assign a unique name and/or number for identifying and tracking user identity.”

What this means: Every member of your workforce must have their own user ID and credentials for any system that touches ePHI. Shared logins (a single “frontdesk” account used by several people, for example) are not allowed, because they make it impossible to attribute an action in the audit trail to a person.

2. Person or Entity Authentication

Section 164.312(d), Person or Entity Authentication, states that a Covered Entity must “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”

What this means: Your practice must verify that whoever (or whatever system) is requesting access to ePHI is who they claim to be before granting it, typically with a password tied to the unique user ID above, and preferably with a second factor for access from outside your network. Authentication works together with the transmission and storage protections below: a message encrypted in transit and at rest is only as protected as the authentication that guards the mailboxes and keys of its intended recipients (for example, your authorized staff members).

3. Integrity

HIPAA’s section 164.312(c)(1), the Integrity standard, calls for Covered Entities to “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”

What this means: Your practice must have a process in place to protect ePHI in transit and in storage from unauthorized third parties who might access, alter or destroy such data, together with a way to detect that alteration has occurred (for example, a signed or authenticated encrypted message that fails verification if it has been tampered with).

4. Transmission Security

HIPAA’s section 164.312(e)(1), the Transmission Security standard, calls for Covered Entities to “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” Its Integrity Controls implementation specification, 164.312(e)(2)(i), adds that they must “Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”

What this means: Any ePHI transmitted out of your network, to patients, insurance providers, other healthcare providers or any third party authorized to receive your patients’ data, needs to be encrypted in transit, using TLS (the successor to SSL, which is now deprecated) between mail servers and/or encryption of the message itself (S/MIME, OpenPGP or delivery through a secure portal). One caveat matters in practice: server-to-server TLS is opportunistic by default, so a receiving server that does not offer STARTTLS, or an attacker on the path who strips it, silently causes delivery in cleartext. Either enforce TLS for the domains you exchange ePHI with, or encrypt the message itself so that it stays protected regardless of the transport. Both mechanisms also address the integrity requirement: TLS authenticates and integrity-protects each hop, and a message-level signature stays verifiable after delivery.
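A practical way to verify the caveat above is to inspect the Received headers that each mail server stamps on a message: the RFC 3848 keywords ESMTPS and ESMTPSA record that a hop was protected by TLS, while ESMTP and ESMTPA record a cleartext hop. The following Python script is an added example, not code from the original paper or from FuseMail, and the sample message it parses (hostnames, addresses and queue IDs) is constructed for the demonstration.

```python
"""Audit the Received headers of an email for hops that did not use TLS.

Added example (not from the original paper or FuseMail). The message below
is constructed for the demonstration; hostnames, addresses and IDs are made up.
"""
import email
import re
from email import policy

# RFC 3848 transmission-type keywords: an "S" suffix means the hop was
# protected by TLS (ESMTPS, ESMTPSA); ESMTP and ESMTPA are cleartext.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

_FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
_WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)

# Constructed sample: a claim mailed from a clinic to an insurer. The external
# hop used TLS; the insurer's internal relay handed it on in cleartext.
SAMPLE_MESSAGE = b"""Received: from mx.insurer.example (mx.insurer.example [198.51.100.7])
\tby mail.insurer.example with ESMTP id 7Bz2k1; Tue, 4 Mar 2014 09:12:03 -0500
Received: from mail.clinic.example (mail.clinic.example [192.0.2.10])
\tby mx.insurer.example with ESMTPS id 9Ql0x2
\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256);
\tTue, 4 Mar 2014 09:12:01 -0500
Received: from workstation12.clinic.example (workstation12.clinic.example [10.0.0.12])
\tby mail.clinic.example with ESMTPSA id 3Ab1c9; Tue, 4 Mar 2014 09:11:58 -0500
From: billing@clinic.example
To: claims@insurer.example
Subject: Claim 2014-0042

(claim body, constructed for the example)
"""


def audit_hops(raw_message: bytes) -> list:
    """Return one record per Received header, ordered oldest hop first."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hops = []
    # Each MTA prepends its Received header, so the first one in the message is
    # the most recent hop; reverse to walk the path the message actually took.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # unfold continuation lines
        from_m = _FROM_RE.search(text)
        by_m = _BY_RE.search(text)
        with_m = _WITH_RE.search(text)
        proto = with_m.group(1).upper() if with_m else None
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "by": by_m.group(1) if by_m else None,
            "protocol": proto,
            "tls": proto in TLS_PROTOCOLS,
        })
    return hops


def cleartext_hops(raw_message: bytes) -> list:
    """Receiving servers that accepted the message over a network hop without TLS."""
    return [h["by"] for h in audit_hops(raw_message)
            if h["from"] is not None and not h["tls"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f'{status:9} {hop["from"]} -> {hop["by"]} ({hop["protocol"]})')
    print("cleartext hops:", cleartext_hops(SAMPLE_MESSAGE))
```

In the sample the hop between the clinic and the insurer used TLS, but the insurer’s own internal relay did not, which is exactly the kind of gap a hop-by-hop check exposes and that a check of “does the recipient’s MX offer STARTTLS?” would miss. Received headers are written by the servers along the path, so a server you do not control can omit or misreport them; treat the script as an audit aid for messages you receive and for test messages you send to partners, not as a substitute for enforcing TLS or encrypting the message itself.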

5. Audit Controls

Section 164.312(b), regarding Audit Controls, states a Covered Entity must “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

What this means: You will need a system that produces detailed audit trails: the date, time, user ID and source IP address of every login, successful or failed, and a record of every message containing ePHI that is sent or received. Producing the records is only half the obligation. The Security Rule’s Information System Activity Review specification (164.308(a)(1)(ii)(D)) requires that someone regularly examines them, and the logs themselves must be protected from alteration so they can be relied on after an incident.
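To show what an audit trail of this shape makes possible, the following Python script is an added example (not code from the original paper or from FuseMail) that reviews constructed login records carrying date, time, user ID, source IP and result. It flags two conditions a reviewer would want surfaced: a user ID that logs in successfully from several different addresses within a short window, which is the characteristic footprint of the shared login that the Access Control provision forbids, and a source address that repeatedly fails authentication. The log format, the thresholds and every record are assumptions made for the demonstration.

```python
"""Review login audit records for shared credentials and password guessing.

Added example (not from the original paper or FuseMail). The log format and
all records below are constructed for the demonstration; each line carries
the fields the paper says an audit trail needs: date, time, user and IP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2014-03-04T09:11:58-05:00 LOGIN user=jsmith ip=10.0.0.12 result=success
2014-03-04T09:13:20-05:00 LOGIN user=frontdesk ip=10.0.0.21 result=success
2014-03-04T09:14:02-05:00 LOGIN user=frontdesk ip=10.0.0.22 result=success
2014-03-04T09:15:45-05:00 LOGIN user=frontdesk ip=10.0.0.23 result=success
2014-03-04T09:30:10-05:00 LOGIN user=jsmith ip=203.0.113.9 result=failure
2014-03-04T09:30:15-05:00 LOGIN user=jsmith ip=203.0.113.9 result=failure
2014-03-04T09:30:21-05:00 LOGIN user=jsmith ip=203.0.113.9 result=failure
2014-03-04T09:30:27-05:00 LOGIN user=jsmith ip=203.0.113.9 result=failure
2014-03-04T13:02:11-05:00 LOGIN user=jsmith ip=10.0.0.12 result=success
"""


def parse_log(text: str) -> list:
    """Turn '<iso-timestamp> <event> key=value ...' lines into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, event, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        records.append({"time": datetime.fromisoformat(timestamp), "event": event, **kv})
    return records


def shared_account_suspects(records: list, window: timedelta = timedelta(minutes=10),
                            min_ips: int = 3) -> dict:
    """Users who logged in successfully from >= min_ips distinct IPs inside one window.

    Several people sharing one login typically show up as one user ID arriving
    from several workstations within minutes of each other.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN" and r["result"] == "success":
            by_user[r["user"]].append(r)
    suspects = {}
    for user, logins in by_user.items():
        logins.sort(key=lambda r: r["time"])
        for i, start in enumerate(logins):
            # Sliding window anchored at each login; stop at the first hit.
            ips = {r["ip"] for r in logins[i:] if r["time"] - start["time"] <= window}
            if len(ips) >= min_ips:
                suspects[user] = sorted(ips)
                break
    return suspects


def brute_force_sources(records: list, threshold: int = 3) -> dict:
    """Source IPs with at least `threshold` failed logins (password guessing)."""
    failures = defaultdict(int)
    for r in records:
        if r["event"] == "LOGIN" and r["result"] == "failure":
            failures[r["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("possible shared logins:", shared_account_suspects(recs))
    print("repeated failures by source:", brute_force_sources(recs))
```

The ten-minute window and the three-address threshold are starting points, not rules: a clinician who uses a desktop and a tablet will legitimately appear from two addresses, which is why the default requires three. The point of the example is that a finding like this is only possible when every person has a unique ID and the log records who, when and from where; with a shared account, the same records would tell you nothing about which individual was at the keyboard.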

How to Bring Your Practice into Full Compliance With HIPAA’s Email-Security Rules

Given all of the HIPAA-related email provisions noted above, you can see that merely encrypting your email is not sufficient to bring your practice into compliance. A Covered Entity must also deploy a solution that can restrict access and authenticate users, protect electronic messages both in storage and while in transit, and produce ongoing records of all transmissions of protected ePHI.

One solution that a Covered Entity can quickly and cost-effectively deploy to address all of these issues, and become fully compliant with HIPAA’s email-security rules, is FuseMail®, a leading managed email solutions provider from cloud services pioneer j2 Global®. FuseMail’s two related services — CypherSMART® and SecureSMART® — can deliver your practice a comprehensive program for email encryption and security that is fully HIPAA compliant.

Let’s review each of the major areas in which HIPAA regulates email security of ePHI, and how FuseMail’s solutions address them all.

HIPAA REQUIRES / FUSEMAIL DELIVERS

HIPAA requires (Access Control): The business must implement unique IDs for accessing ePHI, for identifying and tracking user actions.

HIPAA requires (Person or Entity Authentication): The business must implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

FuseMail delivers: FuseMail’s SecureSMART gives administrators username-and-password controls to restrict access to ePHI stored in FuseMail’s data-security systems to authorized users, and to track and verify access at each attempt. The system also employs strict physical security for data protected at FuseMail’s facilities.

HIPAA requires (Integrity Control): The business must implement policies to secure electronic protected health information from improper alteration or destruction.

HIPAA requires (Transmission Security): The business must implement technical security to guard against unauthorized access to electronic protected health information transmitted electronically.

FuseMail delivers: FuseMail’s CypherSMART service provides email encryption for any message transmitted, which can be triggered manually or automatically based on message content, to ensure that all ePHI records are emailed securely.

HIPAA requires (Audit Controls): The business must implement procedures that record and examine activity in information systems that contain or use electronic protected health information.

FuseMail delivers: FuseMail’s SecureSMART provides full reporting on user access to and transmission of ePHI stored in FuseMail’s systems, producing a detailed audit trail that administrators can access at any time via their FuseMail web dashboard.

Conclusion: The Right Solution for Email Encryption and Security Can Quickly Bring Your Practice into Full HIPAA Email Compliance

One of the simplest, most cost-effective ways to bring your practice into compliance with HIPAA’s various provisions regarding ePHI email is to implement an email security and encryption solution.

The CypherSMART and SecureSMART solutions from managed email solutions provider FuseMail operate entirely in the cloud, require no hardware or software installations at your site, and can be deployed in minutes with virtually any standard email program.

COMPANY OVERVIEW

FuseMail provides a comprehensive suite of cloud-based hosted email security solutions for businesses, including CypherSMART and SecureSMART to help Covered Entities comply with HIPAA.

FuseMail is the managed-email-solutions division of j2 Global, Inc. (NASDAQ: JCOM), the world’s leading provider of cloud-based, business-critical communications and storage services.

j2’s global network spans more than 49 countries on six continents. Serving more than 12 million subscribers worldwide, j2 has offices in nine cities around the world, accepts payment in twelve currencies, and provides customer support in more than seven languages.

To learn more about FuseMail and our “Worry-Free Compliance” solutions for HIPAA, visit us at www.FuseMail.com, or contact us at 877-563-4078.

Find out more about protecting patient data and other ePHI and staying compliant with HIPAA and HITECH